How do I grep this nmap scan?

Sedulous · Jan 25, 2014 · Viewed 17.4k times

I'm using nmap to scan for SSH enabled servers. This is what nmap outputs from the scan:

SSH disabled server example:

Nmap scan report for 70.0.0.109.rev.sfr.net (109.0.0.70)
Host is up (0.15s latency).
PORT   STATE  SERVICE
22/tcp closed ssh

SSH Enabled server example:

Nmap scan report for 255.0.0.109.rev.sfr.net (109.0.0.255)
Host is up (0.12s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh

I want to use grep to export all of the SSH enabled servers into a file. The file will only contain the IP addresses of the SSH enabled servers.

For example:

1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
5.5.5.5

I couldn't find the grep command that will do this. I just need to export the SSH enabled IP addresses to a file using grep (or any other Linux command for that matter). Thanks, all help is appreciated. (By the way, I'm reading this nmap scan from a file)

Answer

larsks · Jan 26, 2014

First, you probably want to spend some time with the nmap man page, which will show you useful options like the -oG option, which produces "greppable output". For example, when run on my home network, like this:

$ nmap -p 22 -oG - 192.168.1.0/24

I get output like this:

Host: 192.168.1.1 (gw.house)    Status: Up
Host: 192.168.1.1 (gw.house)    Ports: 22/closed/tcp//ssh///
Host: 192.168.1.3 ()    Status: Up
Host: 192.168.1.3 ()    Ports: 22/closed/tcp//ssh///
Host: 192.168.1.20 (fileserver.house)   Status: Up
Host: 192.168.1.20 (fileserver.house)   Ports: 22/open/tcp//ssh///
Host: 192.168.1.29 ()   Status: Up
Host: 192.168.1.29 ()   Ports: 22/closed/tcp//ssh///
Host: 192.168.1.52 (laptop.house)   Status: Up
Host: 192.168.1.52 (laptop.house)   Ports: 22/open/tcp//ssh///

If I want a list of ip addresses with port 22 open, I can just run:

$ nmap -p 22 -oG - 192.168.1.0/24 | grep 22/open

Which would get me:

Host: 192.168.1.20 (arcadia.house)  Ports: 22/open/tcp//ssh///
Host: 192.168.1.52 (lkellogg-pk115wp.house) Ports: 22/open/tcp//ssh///

And if I wanted just the ip address, I would use awk:

$ nmap -p 22 -oG - 192.168.1.0/24 | awk '/22\/open/ {print $2}'

Which would get me:

192.168.1.20
192.168.1.52

...which is I think what you are looking for.
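A more careful version of the extraction, as an added example that is not part of the answer above. A plain `grep 22/open` also matches a host whose port 2222 is open, or whose port 22 is reported as `open|filtered` (a state nmap uses when it cannot tell, typically for UDP or behind a firewall), so the awk below splits the `-oG` port list on commas and `/` and keeps a host only when the entry is exactly `<port>/open/tcp`. A second function does the same for the normal multi-line output shown in the question, which is what the asker is actually reading from a file. The sample scans embedded below are constructed by hand to exercise those edge cases; the function names and the `ssh_hosts.txt` output file name are my choices, not anything from the page.

```shell
#!/bin/sh
# Added example: extract IPs with a given TCP port confirmed "open" from nmap output.
# Not the original answer's code; the sample data below is constructed for the demo.

# Constructed greppable (-oG) output. Note the traps: 2222/open on .60,
# 22/open|filtered on .29, and a second port listed after 22 on .52.
SAMPLE_GNMAP='# Nmap 6.40 scan initiated (constructed sample)
Host: 192.168.1.1 (gw.house)    Status: Up
Host: 192.168.1.1 (gw.house)    Ports: 22/closed/tcp//ssh///
Host: 192.168.1.20 (fileserver.house)   Status: Up
Host: 192.168.1.20 (fileserver.house)   Ports: 22/open/tcp//ssh///
Host: 192.168.1.29 ()   Status: Up
Host: 192.168.1.29 ()   Ports: 22/open|filtered/tcp//ssh///
Host: 192.168.1.52 (laptop.house)   Status: Up
Host: 192.168.1.52 (laptop.house)   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.1.60 ()   Status: Up
Host: 192.168.1.60 ()   Ports: 2222/open/tcp//ssh///
# Nmap done (constructed sample)'

# Constructed normal-format output, like the asker'"'"'s file: the IP is the
# parenthesised last word of the "Nmap scan report" line when a reverse DNS
# name is present, or the bare last word otherwise.
SAMPLE_NORMAL='Nmap scan report for 70.0.0.109.rev.sfr.net (109.0.0.70)
Host is up (0.15s latency).
PORT   STATE  SERVICE
22/tcp closed ssh

Nmap scan report for 255.0.0.109.rev.sfr.net (109.0.0.255)
Host is up (0.12s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap scan report for 192.168.1.20
Host is up (0.0010s latency).
PORT   STATE SERVICE
22/tcp open  ssh'

# open_ssh_hosts [PORT]  -- reads -oG output on stdin, prints unique IPs whose
# PORT (default 22) is exactly open/tcp. Each "Ports:" entry has the form
# port/state/proto/owner/service/rpcinfo/version/, entries separated by ", ".
open_ssh_hosts() {
    port="${1:-22}"
    awk -v port="$port" '
        /^Host: / && /Ports: / {
            ip = $2
            sub(/.*Ports: /, "")            # keep only the port list
            n = split($0, entries, /, */)   # one entry per port
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")   # f[1]=port f[2]=state f[3]=proto
                if (f[1] == port && f[2] == "open" && f[3] == "tcp") {
                    print ip
                    break
                }
            }
        }' | sort -u
}

# open_ssh_hosts_normal [PORT] -- same idea for normal (non -oG) output: remember
# the IP from each "Nmap scan report" header, emit it when a "PORT/tcp open" row
# follows. "closed" and "filtered" rows are ignored, so only confirmed-open hosts print.
open_ssh_hosts_normal() {
    port="${1:-22}"
    awk -v port="$port" '
        /^Nmap scan report for / {
            ip = $NF                        # "(1.2.3.4)" or a bare "1.2.3.4"
            gsub(/[()]/, "", ip)
        }
        $1 == (port "/tcp") && $2 == "open" { print ip }
    ' | sort -u
}

# Stand-alone demo: on a real scan you would run e.g.
#   open_ssh_hosts 22 < scan.gnmap > ssh_hosts.txt
printf '%s\n' "$SAMPLE_GNMAP" | open_ssh_hosts 22
```

The `break` after the first match matters when a host has several entries for the same port (for example a TCP and a UDP row from a combined `-sS -sU` scan); otherwise the proto check already keeps UDP rows from counting as SSH-capable hosts.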